To run software update processes via ConfigMgr's software updates management, the proxy service account must be a member of the local WSUS Administrators group and the local Administrator's group. To work around security policies that prevent you from adding users to the local Administrator's group, you can give the service account full control over specific items necessary for package publishing.
You must grant the proxy service account access to the RCT Patching content folder. After that, you'll need to give the service account the required Registry permissions and Component Services permissions.
Grant Access to the Patching Content Folder
You'll need to grant MODIFY permissions to the Recast Proxy service account for the Right Click Tools Patching content folder. This is the folder defined on the Environment Settings page's General > Advanced tab as the UNC Path.
Edit Windows Registry Permissions
To edit Windows Registry permissions:
1. Open the Windows Registry Editor on the WSUS server.
2. Right-click on the HKLM\Software\Classes\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B} key and select Permissions from the drop-down menu.
3. On the Security tab, click Advanced.
4. In the Advanced Security Settings, change the registry key Owner to the admin user (the user logged in as when doing this change) or admin group.
5. For SYSTEM and Administrators, change Access to 'Full Control'.
6. Click OK to apply your changes.
Edit Component Services Permissions
To edit DCOM permissions:
1. Start the dcomcnfg.exe as an admin.
2. Navigate to Component Services > Computers > My Computer > DCOM Config.
3. Locate the WSusCertServer. Right-click and choose Properties.
4. On the Security tab, set all Permissions to Customize.
NOTE: Configuration Permissions should be set to Customize by default.
5. Edit the Launch and Activation Permissions by adding the Recast Proxy service account (user) and setting all permissions to Allow (Local Launch, Remote Launch, Local Activation, Remote Activation).
6. Edit the Access Permissions by adding the Recast Proxy service account (user) and setting all permissions to Allow (Local Access, Remote Access).
7. Restart the WSusCertServer service.
TIP: After editing the DCOM Config permissions, you can optionally revert registry key ownership to the default owner, NT Service\TrustedInstaller.